Microsoft on Tuesday released patches for 84 new security vulnerabilities across several products, eight of which are rated Critical and 76 Important. They comprise 46 privilege escalation, 18 remote code execution, 10 information disclosure, four spoofing, four denial-of-service, and two security feature bypass flaws. The two publicly disclosed zero-days are CVE-2026-26127, a denial-of-service in .NET, and CVE-2026-21262, an elevation of privilege flaw in SQL Server, both described as claims in the disclosure.
The vulnerability with the highest CVSS score is CVE-2026-21536, a critical remote code execution flaw in the Microsoft Devices Pricing Program, which Microsoft says has been fully mitigated and requires no action from users. In addition to these, eight Critical and 76 Important CVEs are part of Patch Tuesday, with Edge-related fixes bringing the total number of addressed vulnerabilities since February’s update to follow-on Edge mitigations.
Among the notable issues, an information disclosure flaw in Excel, tracked as CVE-2026-26144 (CVSS 7.5), could enable data exfiltration in a zero-click scenario, according to Microsoft. The company also noted changes to Windows Autopatch, which will enable hotpatch security updates by default starting with the May 2026 Windows security update, to help organisations reach faster remediation.